
Splunk
MCP server enabling AI agents to interact with Splunk through 20+ tools and workflows
Enable AI agents to interact seamlessly with Splunk environments through the Model Context Protocol (MCP)
Transform your Splunk instance into an AI-native platform. Our community-driven MCP server bridges Large Language Models and Splunk Enterprise/Cloud with 20+ tools, 14 resources, and production-ready security—all through a single, standardized protocol.
🚀 NEW: AI-Powered Troubleshooting Workflows - Transform reactive firefighting into intelligent, systematic problem-solving with specialist AI workflows.
📖 Complete Setup Guide: Installation Guide
Before running the setup, configure your Splunk connection:
```bash
# Copy the example configuration
cp env.example .env

# Edit .env with your Splunk credentials
# - Use your existing Splunk instance (local, cloud, or Splunk Cloud)
# - OR use the included Docker Splunk (requires Docker)
```
Windows:
```powershell
git clone https://github.com/deslicer/mcp-for-splunk.git
cd mcp-for-splunk

# Start the MCP Server (project script)
uv run mcp-server --local --detached

# Verify the server
uv run mcp-server --test

# Optional: show detailed tools/resources and health output
uv run mcp-server --test --detailed
```
macOS/Linux:
```bash
git clone https://github.com/deslicer/mcp-for-splunk.git
cd mcp-for-splunk

# (Recommended) Preview what would be installed
./scripts/smart-install.sh --dry-run

# Install missing prerequisites (base: Python, uv, Git, Node)
./scripts/smart-install.sh

# Start the MCP Server (project script)
uv run mcp-server --local --detached

# Verify the server
uv run mcp-server --test

# Optional: show detailed tools/resources and health output
uv run mcp-server --test --detailed
```
💡 Deployment Options: The `mcp-server` command will prompt you to choose:
- Docker (Option 1): Full stack with Splunk, Traefik, MCP Inspector - recommended if Docker is installed
- Local (Option 2): Lightweight FastMCP server only - for users without Docker
Note on Splunk licensing: When using the `so1` Splunk container, you must supply your own Splunk Enterprise license if required. The compose files include a commented example mount: `# - ./lic/splunk.lic:/tmp/license/splunk.lic:ro`. Create a `lic/` directory and mount your license file, or add the license via the Splunk Web UI after startup.
Transform your Splunk troubleshooting from manual procedures to intelligent, automated workflows using the MCP server endpoints:
```python
# Discover and execute intelligent troubleshooting workflows
result = await list_workflows.execute(ctx, format_type="summary")
# Returns: missing_data_troubleshooting, performance_analysis, custom_workflows...

# Run AI-powered troubleshooting with a single command
result = await workflow_runner.execute(
    ctx=ctx,
    workflow_id="missing_data_troubleshooting",
    earliest_time="-24h",
    latest_time="now",
    focus_index="main"
)
# → Parallel execution, expert analysis, actionable recommendations
```
🚀 Key Benefits:
📖 Read the Complete AI Workflows Guide → for detailed examples, workflow creation, and advanced troubleshooting techniques.
Document | Purpose | Audience | Time |
---|---|---|---|
🤖 AI-Powered Troubleshooting | Intelligent workflows powered by the workflow tools | All users | 5 min |
Getting Started | Complete setup guide with prerequisites | New users | 15 min |
Integration Guide | Connect AI clients | Developers | 30 min |
Deployment Guide | Production deployment | DevOps | 45 min |
Workflows Guide | Create and run workflows (OpenAI env vars) | Developers | 10 min |
API Reference | Tool documentation | Integrators | Reference |
Contributing | Add your own tools | Contributors | 60 min |
📖 Contrib Guide | Complete contribution framework | Contributors | 15 min |
Architecture | Technical deep-dive | Architects | Reference |
Tests Quick Start | First success test steps | Developers | 2 min |
- `list_workflows`: Discover available troubleshooting workflows (core + contrib)
- `workflow_runner`: Execute any workflow with full parameter control and progress tracking
- `workflow_builder`: Create custom troubleshooting procedures for your organization

💪 Multi-Client Configuration Strength: One of the key advantages of this MCP Server for Splunk is its ability to support multiple client configurations simultaneously. You can run a single server instance and connect multiple clients with different Splunk environments, credentials, and configurations - all without restarting the server or managing separate processes.
Session-Based Isolation: Each client connection maintains its own Splunk session with independent authentication, preventing credential conflicts between different users or environments.
Dynamic Configuration: Switch between Splunk instances (on-premises, cloud, development, production) by simply changing headers - no server restart required.
Scalable Architecture: A single server can handle multiple concurrent clients, each with their own Splunk context, making it ideal for team environments, CI/CD pipelines, and multi-tenant deployments.
Resource Efficiency: Eliminates the need to run separate MCP server instances for each Splunk environment, reducing resource consumption and management overhead.
```json
{
  "mcpServers": {
    "splunk": {
      "command": "fastmcp",
      "args": ["run", "/path/to/src/server.py"],
      "env": {
        "MCP_SPLUNK_HOST": "your-splunk.com",
        "MCP_SPLUNK_USERNAME": "your-user"
      }
    }
  }
}
```
```json
{
  "mcpServers": {
    "splunk-in-docker": {
      "url": "http://localhost:8002/mcp/",
      "headers": {
        "X-Splunk-Host": "so1",
        "X-Splunk-Port": "8089",
        "X-Splunk-Username": "admin",
        "X-Splunk-Password": "Chang3d!",
        "X-Splunk-Scheme": "http",
        "X-Splunk-Verify-SSL": "false",
        "X-Session-ID": "splunk-in-docker-session"
      }
    },
    "splunk-cloud-instance": {
      "url": "http://localhost:8002/mcp/",
      "headers": {
        "X-Splunk-Host": "myorg.splunkcloud.com",
        "X-Splunk-Port": "8089",
        "X-Splunk-Username": "[email protected]",
        "X-Splunk-Password": "Chang3d!Cloud",
        "X-Splunk-Scheme": "https",
        "X-Splunk-Verify-SSL": "true",
        "X-Session-ID": "splunk-cloud-session"
      }
    }
  }
}
```
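An added example, not part of the project's code: a small linter for the header-based client configuration shown above, flagging entries whose `X-Splunk-*` headers would expose credentials or weaken TLS. The `remote-mcp` entry, its hostnames, the sample password value, and the `${env:...}` placeholder convention are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def lint_mcp_config(config):
    """Return (server_name, finding) pairs for header-based Splunk entries."""
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        headers = {k.lower(): str(v) for k, v in entry.get("headers", {}).items()}
        if not headers:
            continue  # stdio entries pass settings via env, not HTTP headers
        url = urlparse(entry.get("url", ""))
        password = headers.get("x-splunk-password")
        # The headers ride on every request to the MCP endpoint itself.
        if password and url.scheme != "https" and url.hostname not in LOOPBACK:
            findings.append((name, "Splunk password sent to MCP server over plaintext HTTP"))
        # Only explicit values are flagged; server defaults are not assumed.
        if headers.get("x-splunk-scheme", "").lower() == "http":
            findings.append((name, "MCP server reaches splunkd over plaintext HTTP"))
        if headers.get("x-splunk-verify-ssl", "").lower() == "false":
            findings.append((name, "TLS certificate verification disabled"))
        # Assumption: the client expands ${...} placeholders from its environment.
        if password and not password.startswith("${"):
            findings.append((name, "password stored inline in the config file"))
    return findings

# Constructed sample: the page's Docker entry (trimmed) plus a hypothetical remote one.
SAMPLE = json.loads("""
{"mcpServers": {
  "splunk-in-docker": {"url": "http://localhost:8002/mcp/", "headers": {
    "X-Splunk-Host": "so1", "X-Splunk-Password": "example-only",
    "X-Splunk-Scheme": "http", "X-Splunk-Verify-SSL": "false"}},
  "remote-mcp": {"url": "http://mcp.example.internal:8002/mcp/", "headers": {
    "X-Splunk-Host": "splunk.example.internal",
    "X-Splunk-Password": "${env:SPLUNK_PASSWORD}",
    "X-Splunk-Scheme": "https", "X-Splunk-Verify-SSL": "true"}}
}}
""")

if __name__ == "__main__":
    for server, finding in lint_mcp_config(SAMPLE):
        print(f"{server}: {finding}")
```

The loopback entry is not flagged for transport to the MCP server, only for its plaintext and unverified hop to `splunkd` and the inline password; the remote entry is flagged because its headers would cross the network unencrypted.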
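```python
from google.adk.agents import LlmAgent
from google.adk.tools.mcp_tool.mcp_toolset import MCPToolset
from mcp import StdioServerParameters

splunk_agent = LlmAgent(
    model='gemini-2.0-flash',
    name='splunk_agent',  # ADK agents require a name
    # Launch the MCP server over stdio and expose its tools to the agent
    tools=[MCPToolset(connection_params=StdioServerParameters(
        command='fastmcp',
        args=['run', '/path/to/src/server.py']
    ))]
)
```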
Quick links: Contributing · Code of Conduct · Security Policy · Governance · License
🚀 Quick Start for Contributors:
```bash
# Interactive tool generator (project script)
uv run generate-tool

# Browse existing tools for inspiration
./contrib/scripts/list_tools.py

# Validate your tool implementation (project script)
uv run validate-tools

# Test your contribution
./contrib/scripts/test_contrib.py
```
📖 Complete Contributing Guide → - Everything you need to know about creating tools, resources, and workflows for the MCP Server for Splunk.
Windows users get first-class support with PowerShell scripts and comprehensive troubleshooting guides. See our Windows Setup Guide.
Choose your adventure:
Learn More: Model Context Protocol | FastMCP Framework